WO2016089567A1 - Cyber-security system and methods thereof for detecting and mitigating advanced persistent threats - Google Patents


Info

Publication number
WO2016089567A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
apt
network
resources
services
Prior art date
Application number
PCT/US2015/060109
Other languages
English (en)
Inventor
Avi Chesla
Original Assignee
Empow Cyber Security Ltd.
M&B IP Analysts, LLC
Priority date
Filing date
Publication date
Application filed by Empow Cyber Security Ltd., M&B IP Analysts, LLC
Publication of WO2016089567A1

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1441 Countermeasures against malicious traffic
          • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication

Definitions

  • the present disclosure generally relates to cyber security systems, and more particularly to detecting and mitigating advanced persistent threats.
  • the Internet provides access to various pieces of information, applications, services, and vehicles for publishing information.
  • the Internet allows users to access services such as banking, e-commerce, e-trading, and other services people access in their daily lives.
  • An APT is an attack in which an unauthorized hacker gains access to a network and remains undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause direct damage to the network or organization.
  • APT attacks target organizations in sectors with high-value information, such as the national defense, manufacturing, retail, and financial industries.
  • APT solutions include a private cloud sandbox deployment model. Such a model requires complex implementation. Furthermore, reputation and signature based detection mechanisms are considered non-zero-day attack technologies; that is, their rules are not updated based on previously detected incidents.
  • malware can be injected into a protected environment through an external device, e.g., a USB device or an unsecured network connection (e.g., a public Wi-Fi network). Further, attackers can design malware that will not execute in virtualized or simulated environments.
  • existing solutions have drawbacks in areas including, for example, programmability capabilities, automatic mitigation, and collaboration.
  • a security defense system that is not programmable to allow changes or adaptations to the way in which the protection means operate becomes ineffective in a matter of a few days or even a few hours, because such security systems fail to resist or adapt to new evasion attempts or new attack behaviors.
  • Security solutions, and in particular solutions for handling APT attacks, do not provide reliable automatic mitigation capabilities.
  • APT security solutions are not designed for both detection and automatic mitigation.
  • system administrators do not trust currently available APT security solutions to conduct automatic attack mitigation actions due to the high level of false positive alerts generated by such systems.
  • system administrators must often manually analyze the system's logs, decide on the best mitigation action (e.g., the most accurate action that mitigates the risk), and only then provision network control actions that will mitigate the attack.
  • Some embodiments of the disclosure relate to a method for adaptively securing a protected entity against a potential advanced persistent threat (APT).
  • the method comprises probing a plurality of resources in a network prone to be exploited by an APT attacker; operating at least one security service configured to output signals indicative of APT related activity of each of the plurality of probed resources; generating at least one security event respective of the output signals; determining if the at least one security event satisfies at least one workflow rule; and upon determining that the at least one security event satisfies the at least one workflow rule, generating at least one action with respect to the potential APT attack.
  • Some embodiments of the disclosure relate to a system for adaptively securing a protected entity against a potential advanced persistent threat (APT).
  • the system comprises a processor; and a memory, the memory containing instructions that, when executed by the processor, configure the system to: probe a plurality of resources in a network prone to be exploited by an APT attacker; operate at least one security service configured to output signals indicative of APT related activity of each of the plurality of probed resources; generate at least one security event respective of the output signals; determine if the at least one security event satisfies at least one workflow rule; and generate at least one action with respect to the potential APT attack, upon determining that the at least one security event satisfies the at least one workflow rule.
  • Figure 1 is a diagram of a cyber-security system implemented according to one embodiment.
  • Figure 2 is a block diagram of a security stack module implemented according to one embodiment.
  • Figure 3 illustrates security services utilized by the APT security application according to an embodiment.
  • Figure 4 is a block diagram of the user network and application behavior anomaly security service according to one embodiment.
  • Figure 5 illustrates the processing of security signals and security events by a security stack module according to one embodiment.
  • Figure 6 is an example of a security event derived from a SoA signal.
  • Figures 7-13 illustrate the operation of the cyber security system to detect a potential APT breach occurring in a retail chain.
  • a protected entity may include, for example, a layer-2 (L2) or layer-3 (L3) network element, a server application (e.g., Web, Mail, FTP, Voice and Video conferencing, database, ERP, and so on), "middle box" devices (e.g., firewalls, load balancers, NAT devices, proxies, etc.), SDN controllers (e.g., OpenFlow controllers and virtual overlay network controllers) and personal computing devices (e.g., PCs, laptops, tablet computers, smartphones, wearable computing devices, etc.).
  • the protected entity may be deployed or otherwise accessed through various computing platforms.
  • the computing platforms may include, but are not limited to, virtualized networks and software defined networks and software defined datacenters (SDNs and SDDCs).
  • the disclosed cyber security system is configured to detect and mitigate multi-vector attack campaigns that carry APT attack campaigns.
  • the APT attack campaigns include, but are not limited to, an intelligence gathering stage, network pre-attack probes, malware propagation, information leak, and so on.
  • the disclosed cyber security system achieves comprehensive protection by overcoming the drawbacks of prior art solutions, some of which have been discussed above.
  • the cyber-security system is arranged as a layered architecture allowing the system to adapt to changes in the protected entity and to ongoing attack campaigns.
  • the cyber security system provides the ability to create, define, or program new security applications, to modify the functionality of existing applications, and to easily correlate and create workflows between multiple security applications.
  • a security application is programmed to detect and mitigate a threat to the protected entity, determine which specific resources should be utilized for the protection, determine where the protection should take place, and so on.
  • a security application can be programmed using a set of security services discussed in more detail below.
  • Fig. 1 is an exemplary and non-limiting diagram of the cyber security system 100 utilized to describe the various disclosed embodiments.
  • the cyber security system 100 is configured to protect an entity (hereinafter a "protected entity") 130 communicatively connected in a network 110.
  • the cyber security system 100 is also connected to the network 110.
  • the network 110 may be, but is not limited to, a virtualized network, a software defined network (SDN), a hybrid network, cloud services networks, or any combination thereof.
  • the protected entity 130 may include a client network 130-2 or a designated resource 130-1, such as a server, a point of sale host, a web service, a mail service, a database service, and so on.
  • the client network 130-2 may be, for example, a local area network (LAN), etc.
  • An SDN can be implemented in wide area networks (WANs), local area networks (LANs), the Internet, metropolitan area networks (MANs), ISP backbones, datacenters, and the like.
  • Each network element in the SDN may be a router, a switch, a bridge, a load balancer, a DPI device, and so on, as well as any virtual instantiations thereof.
  • elements of the SDN include a central SDN controller 140 and a plurality of network elements 150.
  • the central SDN controller 140 communicates with the network elements 150 using an OpenFlow protocol, which provides a network abstraction layer for such communication, a Net-conf protocol, which provides mechanisms to install, manipulate, and delete the configuration of network devices, and so on.
  • the network 110 may be a hybrid network in which an SDN is a sub-network of a conventional network whose elements 150 cannot be programmed by a central SDN controller 140.
  • the cyber security system 100 interfaces with the network 110 through the central SDN controller 140.
  • the entire functionality, or a portion of the functionality, of the security system 100 can be integrated in the central SDN controller 140.
  • the functionality of the cyber security system 100 operates directly with the network elements 150 in the data-plane (or it can be a combination of the above). This allows implementing security functions in various locations in the network 110 (SDN, legacy (non-SDN) networks, or hybrid networks) to protect the protected entity 130.
  • the security functions are programmed by the cyber security system 100 to perform any one of, or a combination of, detection, investigation, and mitigation functions (labeled as f1, f2, and f3 in Fig. 1). Such functions are executed during different phases of the operation of the cyber security system 100, i.e., the detection, investigation, and mitigation phases, and are independently programmed by the cyber security system 100. It should be noted that some or all of the functions (f1, f2, and f3) can be implemented, or otherwise performed, in the network 110. It should be noted that the security functions can be reused throughout the different phases of the system operation for different purposes.
  • the cyber security system 100 includes a security stack module 111 and a network services module 113.
  • the security stack module 111 is configured to control and execute the various phases to secure the protected entity 130.
  • the security stack module 111 is configured to create, control, program, and execute the security functions (f1, f2 and f3) through a plurality of security applications or "apps." The operation of the security stack module 111 is discussed in greater detail herein below with respect to Fig. 2.
  • the network interface module 113 provides an interface layer of the cyber security system 100 with the central SDN controller 140 to allow communication with SDN-based network elements 150. In another embodiment, the network interface module 113 also communicates with "legacy" network elements 170 in the network 110.
  • Non-limiting examples of communication drivers that allow the network interface module 113 to configure, control, and monitor legacy network elements (and technologies) 170 include, but are not limited to, BGP, BGP flow spec, NetConf, CLIs, NetFlow, middle-box device drivers (e.g., layer 4 to 7 devices such as DPI devices, firewall devices, ADC (application delivery controller) devices, etc.), end point device drivers (mobile, host based security applications), server applications such as DNS applications, Web applications, and so on.
  • Fig. 2 shows an exemplary and non-limiting block diagram of the security stack module 111.
  • the security stack module 111 includes the following units: a security application unit 210, a security services unit 220, a data-plane unit 230, and a northbound network interface (NBI) 240.
  • the security stack module 111 is configured with a security services unit 220 and various services provided by the data-plane unit 230 that can be utilized for the execution of different security applications.
  • various data-plane services can be utilized by services residing in the security services unit 220.
  • the security application unit 210 includes at least one security application (app) 211 for APT detection and mitigation inside an organization network.
  • Other security applications designed to provide a different type of security protection or function, including, for example, low and slow DoS attack protection, reputation security intelligence, web page scraping detection and mitigation, and volumetric DoS detection and mitigation, can reside in the security application unit 210 as well.
  • different APT security applications can be executed in the security stack module 111 for different protected tenants.
  • a protected tenant is an entity in the organization or an organization.
  • one APT security application can be programmed to protect HR department resources while another application can be programmed to protect resources of the finance department.
  • the HR department and finance departments are different protected tenants.
  • the different resources may be part of a client network (e.g., the client network 132 shown in Fig. 1).
  • the cyber security system 100 is designed to allow correlation between security applications in the security applications unit 210 and security services in the security services unit 220 in order to define, create, or otherwise program a robust solution for detecting and mitigating attacks against the protected entity 130-1 or 130-2.
  • the NBI 240 and the security services unit 220 provide the required services for the security applications 211.
  • the APT security application 211 is configured to implement pre-defined APIs in order to efficiently communicate with the security services 221.
  • the security services 221 are designed, in part, to allow identifying the behavior of hosts and entities in the organization and to detect abnormal network behavior resulting from infected users and entities.
  • Each security service 221 is designed to host multiple programmable security decision engines (SDEs, not shown in Fig. 2). The creation and modification of such SDEs can be performed through an SDE programming language.
  • the SDEs, and thereby the security services 221, can allow the cyber security system 100 to adapt to new attack behavior, unknown behaviors, or attacks that utilize new evasion techniques.
  • the security services 221 are also designed to provide efficient control over the security functions (f1, f2, and f3) in the network data-plane.
  • the security services 221 utilized by the APT security application 211 are discussed in more detail below with respect to Fig. 3.
  • the data-plane unit 230 provides central management and control of the data-plane resources, such as routers, switches, middle-box devices, and so on.
  • the data-plane unit 230 allows the security services 221 to retrieve and store the required network and application information from the data plane resources as well as to enforce security related network control actions.
  • Various functions provided by the data-plane unit 230 include topology discovery, data collection, traffic redirection, traffic distribution (L2, L3 load balancing for scaling out resources), traffic copy, and so on.
  • Topology discovery involves interacting with the data-plane network elements, SDN controllers, and orchestration systems in order to retrieve network topology information. This function is important for the topology awareness that is needed by other data-plane functions as well as by security services 221 and security applications 211.
  • the traffic copy and redirection functions are designed to manage all network traffic redirection functions which include, but are not limited to, traffic redirection, smart traffic copying, traffic distribution, and so on.
  • the data-plane unit 230 is further configured to provide the following functions: management of quality of service (QoS) actions in the network elements, and a set of mitigation functions.
  • the mitigation functions include basic ACL services, which are layer-2 to layer-4 access control list services that manage the distributed rules throughout the network elements. Software defined networks as well as legacy network elements 170 and hybrid networks may be supported by this service.
  • Advanced ACL functions are similar in characteristics to the basic ACL functions but can define more granular access rules including application parameters (L7). Specifically, this function can be activated according to the generated risk-chain pattern from the risk-chain pattern generation service (discussed below) as a blocking rule.
  • the function typically operates with DPI network elements, such as, but not limited to, next generation firewalls, security web gateways for enforcing the application level ACL rules. Service rate-limits manage the QoS rules in the data plane device.
  • Black-hole route function provides an extension of the redirection data-plane services that manage redirection of users into a black-hole.
  • black holes are network locations where incoming or outgoing traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient.
  • the data-plane unit 230 provides all information that is required by the security services 221, and controls the network 110 via decisions made by the security services 221 and security applications 211.
  • certain functions provided by the data-plane 230 can be implemented in the central SDN controller 140. Examples of such functions may include, but are not limited to, traffic redirection, topology discovery, and data collection.
  • the NBI 240 interfaces between the security stack module 111 and one or more external systems (not shown).
  • the external systems may include, for example, third party security analytics systems, security intelligence feeds (e.g., reputation sources), security portals, datacenter orchestration control systems, identity management systems (such as domain controllers), DNS and DHCP services, or any other system that can provide information to the security stack module 111.
  • the interfaces may be, but are not limited to, CLI, REST APIs, Web UI, as well as drivers for control and/or configuration of external systems, and so on.
  • the NBI 240 also interfaces with the network services module 113.
  • each unit 210, 220, 230, and 240, as well as the security stack module 111, are communicatively connected through a predefined set of interfaces and/or APIs.
  • the interfaces and/or APIs may be designed to be unidirectional, bidirectional, or one-to-many bi-directional flows of information between the various modules and units.
  • modules in the cyber security system 100 and units 210, 220, and 230 in the security stack module 111 are independent. Thus, any changes in one unit or module do not necessarily result in any changes to the other modules.
  • one or more security applications 211 can be correlated with one or more security services 221 in order to define, create, or otherwise program a robust solution for detecting and mitigating APTs.
  • a security application 211 typically correlates security signals generated by multiple security services 221. This allows a single security application 211 to make decisions based on multiple services in order to increase the overall decision accuracy.
  • the correlation among security applications 211 is also performed by correlating security events (feeds) generated by other security applications 211, thereby allowing the entire security decision-making process to be more holistic and context-based.
  • the correlation of security events is performed by a set of workflow rules which are processed and applied by the APT security application 211.
  • the set of workflow rules are defined by the user.
  • a learning mechanism is implemented to modify or select a set of correlation and workflow rules to execute. The correlation process is discussed in greater detail below with respect to Fig. 5.
  • Each, some, or all of the modules of the cyber security system 100 and the various units of the security stack module 111 may be realized by a processing system.
  • the processing system may comprise or be a component of a larger processing system implemented with one or more processors.
  • the one or more processors may be implemented with any combination of general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), field programmable gate array (FPGAs), programmable logic devices (PLDs), controllers, state machines, gated logic, discrete hardware components, dedicated hardware finite state machines, or any other suitable entities that can perform calculations or other manipulations of information.
  • the processing system may also include machine-readable media for storing software.
  • Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing system to perform the various functions described herein.
  • Fig. 3 shows an exemplary and non-limiting diagram of the security services 221 and data-plane services 230 utilized by the APT security application 211. It should be noted that the security services 221 (and/or their associated SDEs) can be dynamically added, removed, or modified to provide an accurate and timely detection of APT threats.
  • the following security services 221 may be utilized by the APT security application 211: a user network and application behavior anomaly (UNABA) security service 221-1, a sandbox security service 221-2, a reputation security service 221-3, a user identity security service 221-4, an attack signatures security service 221-5, a user challenge-response security service 221-6, a real-time risk-chain pattern generation security service 221-7, an anti-virus (AV) security service 221-8, and a Web application firewall (WAF) security service 221-9.
  • the UNABA security service 221-1 is a service that analyzes host-based traffic behavior.
  • the UNABA security service 221-1 includes a host profile data structure and a set of SDEs programmed to continuously generate host-based scores of anomaly (SoA).
  • A host can be any machine or resource connected to a network.
  • a host may include a client device, a server, a database, an end-point terminal (e.g., PoS), and the like.
  • the activity of users utilizing client devices can be derived from the profile learnt for such devices.
  • a SoA is a security signal that can be correlated by a security application 211.
  • a high SoA reflects a host traffic anomaly that characterizes different types of network based attacks, such as network pre-attack probe scanning activities (intelligence gathering), malware propagation activities, abnormal remote desktop communication channels, abnormal process installation channels, brute-force attack activities (user/pass cracking), unexpected traffic flows that in general represent a compromised host, abnormal protocol usage that represents "fake" applications, drop-zone (or drop point) traffic behavior which represents a data leak from specific hosts, and so on.
  • the UNABA security service 221-1 is programmed to continuously learn the network and application connection activities of a host (or a group of hosts).
  • the UNABA security service 221-1 implements long-term (e.g., at least 12 weeks) adaptive baselines for each traffic parameter.
  • the host profile data structure of this service aggregates L2-L7 (layer 2 through layer 7 of the OSI model) parameters as well as application metadata and continuously generates baselines for each parameter (or for functions of multiple parameters, such as a traffic ratio), including 24 by 7 (24x7) differentiated baselines, i.e., storing a baseline per time of day and day of the week.
  • the UNABA security service 221-1 includes a set of SDEs programmed by a set of engine rules. A user can modify and program new SDEs by defining a new set of engine rules. Each SDE is programmed to continuously generate a SoA for each host or host group. As noted above, a high SoA reflects unusual user/service application activity.
  • a detailed block diagram of the UNABA security service 221-1 is provided in Fig. 4.
  • the UNABA security service 221-1 can be programmed to generate a SoA that correlates signals from other security services 221. Such correlation is performed by a set of engine rules discussed in greater detail below.
  • the sandbox security service 221-2 is programmed to select the sandbox function that is required to analyze content, such as web objects, mail attachments, executable files, and so on.
  • the sandbox security service 221-2 is configured to control and manage the sandbox function resources as well as to analyze their outputs according to the correlation and workflow rules.
  • the sandbox security service 221-2 is configured to activate the most relevant sandbox function according to the ongoing threat.
  • the sandbox security service 221-2 is instructed by the security application to select a sandbox function that is best at analyzing MS based object files and to manage the sandbox function so that it directs its resources to these high risk detected hosts first.
  • the security application is configured (through the security application's workflow and correlation rules) to correlate the sandbox outputs with other security services' outputs, such as those of the user network and application anomaly security service.
  • the attack signatures security service 221-5 is configured to allow management of multiple types of intrusion detection and prevention functions in the network.
  • the service allows the security application to define and activate the relevant attack signature policies according to the ongoing detected threat, and to monitor the results in a way that can be managed by the security app 211 or by other security services 221.
  • the security application 211 will instruct the attack signature service 221-5 to activate a brute-force attack signature policy only on the suspicious host, to allow accurate and efficient detection of the attack.
  • the reputation security service 221-3 is configured to allow management and analysis of multiple reputation sources (e.g., third party intelligence security sources).
  • the reputation security service 221-3 is further configured to allow the security application 211 to query the most relevant reputation source according to the ongoing detected threat. For example, if the UNABA service 221-1 identifies suspicious drop zone activity, then the APT security application can instruct the reputation security service 221-3 to select the most relevant reputation source and to monitor all traffic between the drop zone host(s) and external sites. In this case the reputation security service 221-3 automatically selects reputation source(s) with a database that has information about external drop point sites and/or command-and-control (C&C) external servers that are known to be associated with controlling internal drop point servers.
  • a user identity security service 221-4 is configured to allow mapping a source IP address to a network host and user identity. To this end, the user identity security service 221-4 is configured to query an identity management system such as DNS and DHCP and Domain controllers (e.g., ActiveDirectory).
  • an identity management system such as DNS and DHCP and Domain controllers (e.g., ActiveDirectory).
  • the user challenge-response security service 221 -6 is configured to allow the security application 21 1 to instruct validation of a specific hosts' application through the most appropriate challenge response actions, and according to the on-going detected threat.
  • the user challenge-response security service 221 -5 is configured to activate different types of challenge-response mechanisms according the protocol and application that is to be validated (e.g., HTTP challenge for HTTP protocol related applications communication, DNS challenge for DNS traffic etc.).
  • Another type of security service 221 that can be utilized for detection of APT threats is a real-time risk chain pattern generation security service 221-7, which is configured to analyze a detected anomaly parameter (e.g., an anomaly detected by the user network & application anomaly service) and create a pattern that characterizes the anomaly. Such a pattern is used for real-time investigation and mitigation actions against threats, as well as for forensic analysis.
  • The real-time risk chain pattern generation security service 221-7 is configured to provide the security application 211 with the risk chain development pattern; in return, the security application 211 decides which security services 221 need to be activated. The decision is based on a set of correlation and workflow rules (set either manually or automatically by the system).
  • The security services 221 listed above are merely examples; other services can be utilized in the cyber security system 100 according to the embodiments disclosed herein.
  • A programming language is provided to allow users to create and modify security applications 211 and to create and modify the SDEs contained in each security service 221, as per business needs.
  • Fig. 4 shows an exemplary block diagram of the UNABA security service 221-1 according to one embodiment.
  • The UNABA security service 221-1 is a cornerstone in detecting APT attacks, since attackers typically gain access to a network 110 and remain undetected for a long period of time by exploiting the hosts of legitimate users and servers in the network 110 and mimicking the normal behavior of those users and servers.
  • The UNABA security service 221-1 includes a host profile module 410, a plurality of user anomaly behavioral SDEs 420, and a set of normalization functions 440.
  • The host profile module 410 is configured to store and compute baseline parameters for host activity over a predefined period of time (e.g., 12 weeks).
  • The host profile module 410 typically stores baselines of each host traffic parameter as well as baselines of functions of multiple parameters (e.g., ratios of inbound vs. outbound traffic parameters, relative portions of application traffic parameters, relative frequency, and so on).
  • Each, some, or all of the modules and/or engines of the UNABA security service 221-1 may be realized by a processing system. Examples of such a processing system are provided above.
  • Each profile stored in the host profile module 410 is structured with two sections: classification and characteristics.
  • The classification section includes host traffic classification parameters in a hierarchical structure. Each hierarchy level is defined as a "flow-path."
  • The characteristics section includes dynamic characteristics of traffic parameters for each classification flow-path.
  • The characteristics of a traffic parameter include real-time values and baselines of rate and rate-invariant parameters.
  • The user anomaly behavioral SDEs 420 are configured to generate a SoA per host based on engine rules and the respective profile and flow-path.
  • Real-time as well as adaptive baselines of a host are retrieved from the host profile module 410, and each parameter therein is normalized by the normalization functions 440.
  • Each parameter or set of parameters has its own normalization function 440.
  • The adaptive normalization functions are tuned by the adapted baselines at a predetermined time interval. In an embodiment, the time interval is one hour.
  • Each normalization function 440 generates a parameter deviation weight (a behavior anomaly level) in a format that can be processed by the user anomaly behavioral SDEs 420. Normalization functions 440 are also responsible for normalizing signals from other security services 221, as shown in Fig. 4.
  • The computed SoAs are provided to the APT security application 211, which decides on an action to be executed. Such an action may include, for example, activating more SDEs in the detection phase, initiating an investigation phase and activating investigation services, initiating a mitigation phase and activating mitigation services, and so on. It should be noted that the security application's workflow decisions are based on the results of the real-time risk-chain pattern generation service (i.e., the risk chain pattern and its progress over time).
  • The UNABA security service 221-1 can also correlate outputs (signals) of other security services 221.
  • A typical correlation is with outputs from the reputation 221-3, attack signatures 221-5, and sandbox 221-2 security services (discussed in detail above).
  • The outputs of the security services 221 (which are inputs to the UNABA security service 221-1) may be integer values, Boolean values, or other values. Such values are normalized by the normalization functions 440 into a format that can be processed by the SDEs of the UNABA security service 221-1.
  • The UNABA security service 221-1 is configured with a set of SDEs 420.
  • Each such SDE 420 is programmed to evaluate or detect behavioral anomalies of a host's user or server caused by APT activities. The anomalies that each SDE 420 is responsible for evaluating include, but are not limited to, abnormal usage associated with pre-attack research and intelligence gathering activities (manually or automatically generated) such as network probes, application probes, and brute-force activities to reveal user/password pairs; propagation activities; data leak activities; and so on.
  • The propagation activities include, for example, abnormal remote desktop traffic.
  • Abnormal traffic may be, but is not limited to, abnormal files copied to or from remote hosts, abnormal process execution on remote hosts, and abnormal service activations/terminations (e.g., FTP or mail service enablement on some server).
  • Other propagation activities that the SDEs 420 are responsible for detecting include, for example, malware spreading/propagation activities, automated malware brute-force activities, and so on.
  • Data leak activities include, for example, abnormal communication of a "crowd" of hosts that are infected with some malware and upload data to specific host(s) in the organization (defined as an internal drop zone or drop point), abnormal upload of data from hosts known to hold confidential information to sites outside the organization, and so on.
  • SDEs 420 analyzing unexpected traffic flows are also utilized by the APT security application 211. These SDEs 420 are part of the UNABA security service 221-1 and analyze the "maturity" of each host in the network 110 according to time and traffic parameters. A "mature" host or user that starts to communicate with other network hosts and to use protocol(s) and/or application(s) not previously used is flagged as suspicious. Flagged hosts and users are typically involved in one of the attack stages mentioned above (e.g., pre-attack intelligence gathering, propagation, or data leak).
  • Other malicious activities that can indicate a potential APT attack include unusual geographic communication (e.g., users communicating with new geographical locations); unusual user application behavior; unusual content types consumed by a specific application (e.g., binary content sent to Facebook® or Twitter® accounts); host connections with unusual traffic symmetry (e.g., unusual upload or download activities, clients that act like servers, etc.); and unusual time-based activity (24x7 activity) of hosts based on parameters such as L4 connections, bandwidth, destinations, application type, abnormal periodic behavior, and so on.
  • The user anomaly behavioral SDEs 420 can also be configured to detect or evaluate anomalies related to applications executed on a host device. Such anomalies include, for example, unusual DNS traffic (e.g., too many DNS queries from the same client, DNS requests of the same size from the same client, fast-flux behavior where the same domain is represented by multiple dynamically changing IP addresses), unusual browser type usage, and the like.
  • Each user anomaly behavioral SDE 420 generates a SoA that quantifies the deviation of the behavioral parameters of a host, or group of hosts, from the norm as determined by the respective profile maintained in the host profile module 410.
  • The SoA may be in the form of an integer value, a Boolean value, a certain level (e.g., high, medium, low), or any other form that measures a level of activity.
  • The SoA is continuously generated, and can therefore change over time and be used to measure trends in anomaly scores.
  • The SoA is generated by a set of decision engine rules that can be processed by each engine in a security service 221.
  • The engine rules typically include one or more of: a set of Boolean operators (e.g., AND, OR, NOT); a set of weight levels (Low, Mid, High); and so on.
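As an added illustration of the profile, normalization and engine-rule pipeline described above (example code written for this page, not the patent's own implementation), the following Python module keeps a constructed host profile with per-flow-path baselines, normalizes live traffic parameters and other services' outputs (a Boolean verdict, an integer reputation score) into deviation weights, and runs one data-leak SDE whose rule combines those weights with Boolean operators into an SoA level. The host address, flow-path names, sigma cut-offs and reputation thresholds are assumptions of the example.

```python
"""Added example, not code from the patent: a toy UNABA-style host profile with
adaptive baselines, normalization functions that map raw parameters (and other
services' outputs) to deviation weights, and one security decision engine (SDE)
whose engine rule turns the weights into a Signal of Anomaly (SoA).
All baselines, thresholds and live samples are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict

# Deviation weight levels in the format the SDE consumes.
NONE, LOW, MID, HIGH = 0, 1, 2, 3


@dataclass(frozen=True)
class Baseline:
    mean: float   # adaptive baseline value learned over the profiling window
    std: float    # spread of the parameter over the same window


# Host profile: classification flow-path -> traffic parameter -> baseline.
# Constructed values standing in for 12 weeks of learned history.
HOST_PROFILES: Dict[str, Dict[str, Dict[str, Baseline]]] = {
    "10.0.5.17": {
        "web/http/upload": {
            "bytes_per_min": Baseline(mean=2_000.0, std=500.0),
            # inbound/outbound byte ratio: a workstation normally downloads far more than it uploads
            "in_out_ratio": Baseline(mean=8.0, std=1.5),
        },
        "dns/query": {"queries_per_min": Baseline(mean=10.0, std=4.0)},
    },
}


def z_normalize(value: float, base: Baseline) -> int:
    """Normalization function for a rate or rate-invariant parameter: distance from
    the baseline in standard deviations, bucketed into a deviation weight.
    The 2/4/6 sigma cut-offs are an assumption of this example."""
    if base.std <= 0:
        return HIGH if value != base.mean else NONE
    z = abs(value - base.mean) / base.std
    if z < 2:
        return NONE
    if z < 4:
        return LOW
    if z < 6:
        return MID
    return HIGH


def normalize_boolean(flag: bool) -> int:
    """Normalization for a Boolean output of another service (e.g. a sandbox verdict)."""
    return HIGH if flag else NONE


def normalize_score(score: int, lo: int = 40, hi: int = 80) -> int:
    """Normalization for an integer output of another service, e.g. a 0-100 bad-reputation score."""
    if score >= hi:
        return HIGH
    if score >= lo:
        return MID
    return LOW if score > 0 else NONE


def normalize_sample(host: str, sample: Dict[str, Dict[str, float]]) -> Dict[str, int]:
    """Retrieve the host's baselines from the profile and normalize every real-time
    parameter; keys are '<flow-path>/<parameter>'."""
    weights: Dict[str, int] = {}
    for flow_path, params in sample.items():
        for name, value in params.items():
            weights[f"{flow_path}/{name}"] = z_normalize(value, HOST_PROFILES[host][flow_path][name])
    return weights


def data_leak_sde(weights: Dict[str, int], reputation_weight: int) -> str:
    """Engine rule of a data-leak SDE, written with Boolean operators over weight levels:
      upload volume is High AND (upload symmetry >= Mid OR reputation >= Mid)  -> SoA 'high'
      upload volume >= Mid OR upload symmetry >= Mid                           -> SoA 'medium'
      any input >= Low                                                         -> SoA 'low'
      otherwise                                                                -> SoA 'none'"""
    upload = weights.get("web/http/upload/bytes_per_min", NONE)
    symmetry = weights.get("web/http/upload/in_out_ratio", NONE)
    if upload == HIGH and (symmetry >= MID or reputation_weight >= MID):
        return "high"
    if upload >= MID or symmetry >= MID:
        return "medium"
    if max(upload, symmetry, reputation_weight) >= LOW:
        return "low"
    return "none"


def evaluate_host(host: str, sample: Dict[str, Dict[str, float]], reputation_score: int) -> str:
    """Full path for one host: profile lookup -> normalization -> SDE -> SoA."""
    return data_leak_sde(normalize_sample(host, sample), normalize_score(reputation_score))


if __name__ == "__main__":
    # Constructed live samples: the first looks like a workstation suddenly pushing data out.
    suspicious = {"web/http/upload": {"bytes_per_min": 6_000.0, "in_out_ratio": 0.5},
                  "dns/query": {"queries_per_min": 12.0}}
    normal = {"web/http/upload": {"bytes_per_min": 2_300.0, "in_out_ratio": 7.0},
              "dns/query": {"queries_per_min": 9.0}}
    print(evaluate_host("10.0.5.17", suspicious, reputation_score=85))  # high
    print(evaluate_host("10.0.5.17", normal, reputation_score=0))       # none
```

The point of the separate normalization functions is that the SDE rule never sees raw units: a byte rate, a ratio and a third-party score all arrive as the same Low/Mid/High weights, so the rule can be rewritten (the page's programming language for SDEs) without touching the baselines, and a new input source only needs its own small normalizer.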
  • The generated SoAs (signals) are fed to the security application 211.
  • The security application 211 can translate the signals into a security event fed to the application's correlation and workflow rules (544). For example, a high SoA value may be translated into a security event, while a low SoA value may not create an event.
  • Fig. 5 shows the processing of security signals according to an exemplary and non-limiting embodiment.
  • Each of the security services 510, 520, and 530 generates security signals by means of its respective SDEs.
  • The services 510, 520, and 530 may be any of the security services noted above.
  • The security signals are fed to an APT security application 540 that checks whether any one, and/or any combination, of the received signals satisfies at least one event rule 542.
  • The security signals may be generated in response to detection of malware activity such as pre-attack intelligence gathering, malware propagation activities, drop zone behavior, and so on.
  • The event rules 542 can be applied to the signal value, duration, and so on.
  • A syntax of the event rule may be defined as follows:
  • The various parameters of the event rule are defined in the exemplary Table 1.
  • <Signal attribute>: a structure of optional metadata attributes. Example: Src ID (host name, hosts group, IP address, user name).
  • the system generates a
  • Fig. 6 shows a security signal derived from a SoA value.
  • The security signal is in the form of a pulse.
  • The event rules 542 define that if the pulse is high (high SoA) for a duration of more than 25 seconds, then a security event is triggered.
  • An example of an event rule for detecting a network scan is:
  • The rule identifies that if the value of the SoA is high for a duration of at least 1 minute, then an event is triggered.
  • The event represents scan activity, which is part of pre-attack probe activities.
  • Security events generated from signals received only from services 510 and 520 are shown. That is, signals from service 530 did not match any event rule 542.
  • The security events are correlated by the application 540 using the correlation rules 544. As noted above, events that satisfy at least one correlation rule 544 will trigger an action, such as, but not limited to, a mitigation action, an investigation action, and so on.
  • A correlation rule 544 can correlate between a reputation event and a host anomaly event.
  • Correlation rules 544 can be defined for the different phases of operation of the security application 211, i.e., the detection phase, the investigation phase, and the mitigation phase.
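The signal-to-event-to-action path of Fig. 5 and Fig. 6, as an added example written for this page (not the patent's implementation): SoA readings are treated as a pulse over time, an event rule fires when the pulse stays at or above a level for a minimum duration (the scan rule below uses the page's "high for at least 1 minute"; the generic anomaly rule uses its 25-second threshold), and a correlation rule turns a reputation event plus a host anomaly event on the same host into a detection-phase action. Service names, host addresses, sample timestamps, the 300-second correlation window and the action names are assumptions of the example.

```python
"""Added example, not code from the patent: SoA signals treated as pulses over
time, event rules that fire on (level, duration), and correlation rules that
turn co-occurring events on one host into a phase action.  Every signal sample,
rule and threshold below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# SoA levels as delivered by the SDEs.
NONE, LOW, MID, HIGH = 0, 1, 2, 3


@dataclass(frozen=True)
class EventRule:
    service: str        # which security service's signal is inspected
    min_level: int      # the pulse counts as 'high' at or above this level (>= LOW)
    min_duration: int   # seconds the pulse must persist before an event is raised
    event_type: str


@dataclass(frozen=True)
class Event:
    event_type: str
    host: str
    start: int   # timestamp (s) of the first sample of the pulse
    end: int     # timestamp (s) of the last sample of the pulse


@dataclass(frozen=True)
class CorrelationRule:
    phase: str                 # detection / investigation / mitigation
    required: FrozenSet[str]   # event types that must co-occur on the same host
    window: int                # max seconds spanned by the matched events
    action: str


def apply_event_rule(rule: EventRule, host: str, samples: List[Tuple[int, int]]) -> List[Event]:
    """samples: (timestamp_seconds, soa_level) in time order. A pulse is a maximal run
    of samples at or above rule.min_level; it becomes an event once it has lasted
    rule.min_duration seconds (last sample time minus first sample time)."""
    events: List[Event] = []
    start = last = None
    # A trailing sentinel at level NONE closes a pulse that runs to the end of the samples.
    for ts, level in samples + [(None, NONE)]:
        if level >= rule.min_level:
            start = ts if start is None else start
            last = ts
        elif start is not None:
            if last - start >= rule.min_duration:
                events.append(Event(rule.event_type, host, start, last))
            start = last = None
    return events


def correlate(rule: CorrelationRule, events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (phase, action, host) for every host whose events satisfy the rule:
    all required event types are present and the matched events fit in the window."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.event_type in rule.required:
            by_host[e.host].append(e)
    actions = []
    for host, evs in sorted(by_host.items()):
        if {e.event_type for e in evs} != set(rule.required):
            continue
        span = max(e.end for e in evs) - min(e.start for e in evs)
        if span <= rule.window:
            actions.append((rule.phase, rule.action, host))
    return actions


def run_pipeline(signals, event_rules, correlation_rules):
    """signals: {(service, host): [(ts, level), ...]} -> (events, actions)."""
    events: List[Event] = []
    for (service, host), samples in signals.items():
        for rule in event_rules:
            if rule.service == service:
                events.extend(apply_event_rule(rule, host, samples))
    actions = []
    for rule in correlation_rules:
        actions.extend(correlate(rule, events))
    return events, actions


# Constructed rules. The scan rule mirrors the page's example: SoA high for >= 1 minute.
EVENT_RULES = [
    EventRule("unaba", HIGH, 60, "network_scan"),
    EventRule("unaba", HIGH, 25, "host_anomaly"),
    EventRule("reputation", MID, 0, "bad_reputation"),
]
CORRELATION_RULES = [
    CorrelationRule("detection", frozenset({"host_anomaly", "bad_reputation"}), 300, "start_investigation"),
]

# Constructed signal samples (timestamp seconds, SoA level), one reading every 5 s.
SIGNALS = {
    ("unaba", "10.0.5.17"): [(t, LOW) for t in range(0, 25, 5)]
                            + [(t, HIGH) for t in range(25, 65, 5)] + [(65, NONE)],
    ("reputation", "10.0.5.17"): [(40, HIGH)],
    ("unaba", "10.0.9.3"): [(t, HIGH) for t in range(0, 95, 5)],
}

if __name__ == "__main__":
    evs, acts = run_pipeline(SIGNALS, EVENT_RULES, CORRELATION_RULES)
    for e in evs:
        print(e)
    print(acts)  # [('detection', 'start_investigation', '10.0.5.17')]
```

Note the asymmetry the duration rule buys: host 10.0.9.3 is high for 90 seconds and produces both a scan event and an anomaly event, yet no action, because nothing from a second service corroborates it, while 10.0.5.17's 35-second pulse never qualifies as a scan but, combined with a reputation hit on the same host, does trigger the detection-phase action.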
  • The operation of the security services discussed above can be utilized during the detection, investigation, and mitigation phases of the APT security application.
  • The detection phase can be concluded upon a determination that a potential attack is taking place. Such detection is achieved once a detection correlation rule 544 is satisfied.
  • The investigation phase may be activated in order to validate (or invalidate) and better define the attack behavior.
  • This phase is typically a more advanced detection phase that narrows down the scope of suspicious hosts and identifies more specific traffic flows associated with the anomaly from and to these hosts.
  • The investigation phase can be utilized to reduce the false positive event rate to a level that allows accurate mitigation of the threat, to filter out unnecessary logs, and to evaluate the potential impact of the security incident. Further, the investigation phase allows for making an educated decision about the level of mitigation operations.
  • The operation of the investigation phase may be performed by the various security services described above. Specifically, the following security services can be utilized during the investigation phase:
  • The attack signature security service 221-5, the reputation security service 221-3, the sandbox security service 221-2, the anti-virus (AV) service 221-8, and the user challenge/response security service 221-6, which can also be used in the mitigation phase.
  • The following describes the operation of the cyber security system 100 to detect an APT campaign of the kind that resulted in a breach at a retail chain.
  • Confidential customer information is targeted (e.g., credit cards, passwords, identities, and social security numbers).
  • The following is a discussion of the APT attack lifecycle and of implementations of the disclosed APT security applications and engines to prevent such an attack.
  • In Fig. 7 the first stage of the attack is illustrated. In this stage, an intrusion is performed into a retail store's network 710.
  • The retail store's network 710 is the first point from which the entire attack campaign is conducted.
  • The attack begins with an intrusion into one of the retail store's external contractors 720.
  • The attacker uses the Citadel malware, delivered through a phishing email campaign.
  • This malware is designed to steal personal information and credentials through man-in-the-browser (MitB) techniques.
  • The malware is used to steal web application credentials from the browser of an infected machine of the retail store's external (HVAC) contractor 720.
  • Fig. 8 refers to the second intrusion stage of the attack, during which an intrusion into the retail store's web services occurs.
  • The attacker uses the contractor's stolen credentials to gain access to the retail store's hosted web services 730.
  • These web services 730 are dedicated to the retail store's partners.
  • The contractor 720 is a partner having access to some electronic billing, contract submission, and project management services.
  • The attacker uses the stolen credentials to gain access from the Internet to the web services 730 and then exploits web service vulnerabilities.
  • Such vulnerabilities allow the attacker to execute code (scripts) on the retail store's web applications. This allows the attacker to execute OS commands on the web service host.
  • The intrusion stage can be detected by the UNABA security service 221-1 and the WAF security service 221-9.
  • The UNABA security service 221-1 would detect unusual upload behavior to the web services, and the security application 211 would correlate that with WAF logs provided by the WAF security service 221-9 that indicate possible "injection/web intrusion" activity.
  • The UNABA security service 221-1 would include a profile of each partner (e.g., contractor) with access to the retail store's network 710. Abnormal upload activity would be detected based on data symmetry parameters, the source geographical location, and activity time (as an example; other parameters may be used).
  • The UNABA security service 221-1 would operate on data collected, for example, by DPIs connected at the edge routers of the retail store's network 710.
  • The security application 211 can include a correlation rule that correlates between triggered events, such as abnormal user activity of a certain type (e.g., the abnormal upload activity) and a WAF log of a certain type that represents a code injection.
  • Fig. 9 refers to intelligence gathering and the identification of targets by the APT attacker. Once the attacker can run operating system commands on a host of the web services, the attacker can start intelligence gathering operations (also known as "pre-attack probes"). These operations, which can be done manually or automatically through attack tools, allow the attacker to gather information about the retail store's network 710 and thus find the relevant targets for the next steps in the attack life cycle.
  • Targets in the retail store are services that maintain credit card and/or social security number information.
  • Such services can include databases 770 and point-of-sale machines 760.
  • The attacker queries the DNS 750 to retrieve the IP addresses of such servers (again, this can be done automatically or manually).
  • The UNABA security service 221-1 can detect the gathering of information by identifying unexpected host traffic activities and anomalous protocol usage (e.g., abnormal LDAP query rates per host, abnormal DNS resolution rates per host, abnormal amounts and rates of protocol error responses per host and server, and new and unexpected application flows generated by the host). Such anomalies can be detected by the security decision engines executed by the UNABA security service 221-1.
  • The SDEs can be dynamically programmed by a set of engine rules.
  • Fig. 10 describes the stage of installing processes. After finding the PoS service names 760 and DB service names 770, the attacker needs to propagate processes into the network elements that can access these services, and then take control and install other processes that can steal and send out the credit card information.
  • The attacker operates to get hold of domain administrative privileges (e.g., within a Microsoft® network) using "pass-the-hash" attack techniques.
  • The pass-the-hash attack allows the attacker to steal a token that resides inside a host's memory (left there by an administrator who has used the host), which represents the password of the administrator (called the NT hash).
  • The attacker then has privileges to access and install processes on different network elements.
  • The attacker uses network scanners such as "Angry IP Scanner", NMAP, and the like. A scanner is used to find which computers are accessible from the current web servers.
  • In order to bypass detected firewall rules that block access to some network element or server, the attacker utilizes tools that can tunnel through the firewalls (e.g., port forwarding IT tools that utilize traffic encapsulation techniques, etc.) and then executes new processes on the target hosts, or on hosts that can access these targets.
  • The UNABA security service 221-1 would detect an abnormally wide connection distribution with an abnormal portion of incomplete connections (in this attack case, all originated by the compromised web services hosts).
  • An anti-virus security service 221-8 can be activated (by the security application) to scan the web services hosts and look for evidence of installed scanning tools.
  • The security application 211 correlates events that are triggered due to network scanning activities from 221-1 with events from the anti-virus detection service.
  • Fig. 11 describes the penetration and control stage. At this stage the attacker installs new processes on the target server hosts or on hosts that have access to these targets. To this end, the attacker can use different types of remote desktop and process execution tools together with the administrator credentials (e.g., RDP and PsExec). Using these remote tools and administrator credentials, the attacker is able to run scripts on the DB services 770 and install malware on the PoS servers 760.
  • For collecting the credit card and personal information (such as social security numbers) from the target services, the attacker uses MS SQL query tools. In order to search for and steal information from the PoS machines 760 directly, the attacker uses the 'kaptoxa' malware on all PoS machines 760. The attacker installs the malware using the tools mentioned above. The malware scans (scrapes) the memory of the PoS 760, and when it identifies a credit card pattern it opens a communication socket and sends the credit card data to an internal drop zone. It should be noted that in the case of the PoS machine 760, the malware must quickly send the credit card information before it is removed from the RAM of the PoS. As long as the information resides in RAM it is usually in unencrypted form, so sending it directly from RAM ensures easy visibility into the card numbers.
  • The UNABA security service 221-1 is configured to identify unusual usage of remote-desktop and remote process execution tools, such as Telnet, RDP, VNC, and PuTTY, in the network 110.
  • SDEs in the UNABA security service 221-1 identify activities such as hosts generating traffic associated with such tools toward destination hosts which, under normal network behavior, do not typically communicate with remote desktop applications. The SDEs can also identify, for example, whether the usage pattern of these remote-desktop tools or applications deviates from the usual pattern.
  • The security application 211 can instruct the anti-virus security service 221-8 to scan the target hosts with which the detected remote-desktop and remote process tools are communicating (e.g., PoS and DB services hosts) and to search for malware-related evidence (e.g., PoS-related malware such as the Kaptoxa malware).
  • The security application 211 correlates (according to the correlation and workflow rules) the security events received from the security services 221-1 and 221-9 in order to decide on the next actions.
  • Fig. 12 refers to the stage of collecting stolen information.
  • The attacker creates a file share service 780 on a remote server inside the target network (this is typically also done through a remote desktop application that the attacker uses with the stolen credentials to enable services).
  • The malware on the PoS 760 scrapes the RAM of the host, identifies credit card number patterns, and sends these numbers to the file share server using the SMB protocol (this last activity is defined as an internal drop zone activity).
  • The UNABA security service 221-1 would identify the abnormal remote desktop session that enables the file share service, as well as the internal drop zone activity.
  • The UNABA security service 221-1 identifies the internal drop zone activity by an SDE that analyzes the connection distribution, the L7 protocol distribution, and the traffic symmetry.
  • An abnormally narrow connection distribution (multiple hosts communicating with a single host), an abnormally narrow L7 protocol distribution (an abnormally common protocol), and abnormal upload traffic symmetry would result in a high SoA generated by this SDE.
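The drop-zone SDE just described, as an added example written for this page (not the patent's implementation): from a window of flow records it computes, per destination host, the three features named above (distinct-source fan-in for the connection distribution, the share of the most common L7 protocol, and the upload-to-download byte ratio for traffic symmetry), compares them with constructed thresholds and a per-host fan-in baseline, and emits an SoA level. The addresses, the "12 PoS terminals pushing SMB to one file share" scenario, the baselines and the thresholds are all assumptions of the example.

```python
"""Added example, not code from the patent: an SDE that scores internal drop-zone
behaviour for each destination host from flow records, using connection
distribution (how many sources fan in to one host), L7 protocol distribution
(how dominant one protocol is) and upload traffic symmetry (bytes pushed into
the host versus bytes returned).  The flow records, per-host fan-in baselines
and thresholds are all constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    l7: str              # application protocol as classified by DPI
    bytes_to_dst: int    # upload direction: src -> dst
    bytes_from_dst: int  # reply direction: dst -> src


def drop_zone_features(flows: List[Flow], dst: str) -> Optional[Dict[str, Any]]:
    """Per-destination features over the observation window; None if no flow targets dst."""
    inbound = [f for f in flows if f.dst == dst]
    if not inbound:
        return None
    top_proto, top_count = Counter(f.l7 for f in inbound).most_common(1)[0]
    up = sum(f.bytes_to_dst for f in inbound)
    down = sum(f.bytes_from_dst for f in inbound)
    return {
        "fan_in": len({f.src for f in inbound}),   # distinct sources -> this host
        "proto_share": top_count / len(inbound),   # share of the most common L7 protocol
        "upload_ratio": up / max(down, 1),         # traffic symmetry; >1 means upload-heavy
        "top_proto": top_proto,
    }


def drop_zone_soa(features: Dict[str, Any], baseline_fan_in: int) -> str:
    """Engine rule: each feature contributes one weight when it crosses its
    (constructed) threshold; the SoA level is the number of abnormal features."""
    narrow_connections = features["fan_in"] >= 5 * max(baseline_fan_in, 1)  # many -> one
    narrow_l7 = features["proto_share"] >= 0.9                              # one protocol dominates
    upload_heavy = features["upload_ratio"] >= 10.0                         # data flows in, little out
    score = int(narrow_connections) + int(narrow_l7) + int(upload_heavy)
    return {3: "high", 2: "medium", 1: "low"}.get(score, "none")


def evaluate_drop_zones(flows: List[Flow], baselines: Dict[str, int]) -> Dict[str, str]:
    """SoA per destination host. A host with no learned baseline is treated as a
    new destination with fan-in 1, so many sources hitting it is itself abnormal."""
    result: Dict[str, str] = {}
    for dst in sorted({f.dst for f in flows}):
        feats = drop_zone_features(flows, dst)
        result[dst] = drop_zone_soa(feats, baselines.get(dst, 1))
    return result


# Constructed flow records for one window.
# 12 point-of-sale terminals each push ~40 KB over SMB to one file share, 10.20.50.5.
FLOWS: List[Flow] = [Flow(f"10.20.1.{i}", "10.20.50.5", "smb", 40_000, 800) for i in range(1, 13)]
# Ordinary traffic to the same host, and a web server serving three clients (control case).
FLOWS += [
    Flow("10.20.7.21", "10.20.50.5", "http", 2_000, 30_000),
    Flow("10.20.7.22", "10.20.60.2", "http", 1_500, 20_000),
    Flow("10.20.7.23", "10.20.60.2", "http", 1_200, 18_000),
    Flow("10.20.7.24", "10.20.60.2", "http", 900, 25_000),
]
# Baseline distinct-source fan-in per host learned over the profiling period (constructed).
BASELINE_FAN_IN = {"10.20.50.5": 2, "10.20.60.2": 50}

if __name__ == "__main__":
    print(evaluate_drop_zones(FLOWS, BASELINE_FAN_IN))
    # {'10.20.50.5': 'high', '10.20.60.2': 'low'}
```

The control host shows why the rule needs all three features: a web server naturally has a single dominant protocol, so "narrow L7 distribution" alone only reaches a low SoA; it is the combination with an unexpected fan-in relative to the host's own baseline and an upload-heavy byte ratio that marks the file share as a drop point.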
  • Fig. 13 refers to the stage of sending out the stolen credit card information. Once such information arrives at the file share server, which is also an FTP-enabled machine 780, a script on the machine sends the file to the attacker-controlled FTP account (an external host), using an internal FTP client.
  • The UNABA and reputation security services 221-1 and 221-3 are utilized.
  • The UNABA security service 221-1 would identify the unusual source and destination with upload behavior, periodic upload behavior during unusual hours of operation, and a source with new protocol usage (not limited to these parameters).
  • The security application 211 will instruct the reputation security service 221-3 to provide intelligence information about the external destination IP address.
  • The security application 211 correlates the signals from the security services 221-1 and 221-3 and generates an action according to the correlation and workflow rules (e.g., if the external IP has a high bad-reputation score associated with known public drop points, the action will be to block this traffic through the mitigation phase services).
  • The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof.
  • The software is preferably implemented as an application program tangibly embodied on a program storage unit or non-transitory computer readable medium consisting of parts, or of certain devices and/or a combination of devices.
  • The application program may be uploaded to, and executed by, a machine comprising any suitable architecture.
  • The machine is implemented on a computer platform having hardware such as one or more central processing units ("CPUs"), a memory, and input/output interfaces.
  • The computer platform may also include an operating system and microinstruction code.
  • A non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
  • Any reference to an element herein using a designation such as "first," "second," and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise, a set of elements comprises one or more elements.

Abstract

The present invention relates to a method and system for adaptively securing a protected entity against a potential advanced persistent threat (APT). The method comprises probing a plurality of resources in a network that may be exploited by an APT attacker; operating at least one security service configured to output signals indicative of APT-related activity from each of the plurality of probed resources; generating at least one security event in response to the output signals; determining whether the at least one security event satisfies at least one workflow rule; and, upon determining that the at least one security event satisfies the at least one workflow rule, generating at least one action with respect to the potential APT attack.
PCT/US2015/060109 2014-12-01 2015-11-11 Cyber-security system and methods thereof for detecting and mitigating advanced persistent threats WO2016089567A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201462085844P 2014-12-01 2014-12-01
US62/085,844 2014-12-01

Publications (1)

Publication Number Publication Date
WO2016089567A1 true WO2016089567A1 (fr) 2016-06-09

Family

ID=56092237

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/060109 WO2016089567A1 (fr) 2014-12-01 2015-11-11 Cyber-security system and methods thereof for detecting and mitigating advanced persistent threats

Country Status (1)

Country Link
WO (1) WO2016089567A1 (fr)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107888607A (zh) * 2017-11-28 2018-04-06 新华三技术有限公司 一种网络威胁检测方法、装置及网络管理设备
CN108259449A (zh) * 2017-03-27 2018-07-06 新华三技术有限公司 一种防御apt攻击的方法和系统
CN110222715A (zh) * 2019-05-07 2019-09-10 国家计算机网络与信息安全管理中心 一种基于动态行为链和动态特征的样本同源分析方法
CN112242991A (zh) * 2019-07-17 2021-01-19 卡巴斯基实验室股份制公司 用于关联事件来检测信息安全事故的系统和方法
US20220277107A1 (en) * 2021-03-01 2022-09-01 Fortanix, Inc. Confidential computing workflows
CN115051820A (zh) * 2022-03-01 2022-09-13 深圳开源互联网安全技术有限公司 一种多维度防暴力破解方法、装置、设备及可读存储介质

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040114519A1 (en) * 2002-12-13 2004-06-17 Macisaac Gary Lorne Network bandwidth anomaly detector apparatus, method, signals and medium
US20040143756A1 (en) * 1999-05-11 2004-07-22 Munson John C. Method of and system for detecting an anomalous operation of a computer system
US20130276122A1 (en) * 2012-04-11 2013-10-17 James L. Sowder System and method for providing storage device-based advanced persistent threat (apt) protection

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040143756A1 (en) * 1999-05-11 2004-07-22 Munson John C. Method of and system for detecting an anomalous operation of a computer system
US20040114519A1 (en) * 2002-12-13 2004-06-17 Macisaac Gary Lorne Network bandwidth anomaly detector apparatus, method, signals and medium
US20130276122A1 (en) * 2012-04-11 2013-10-17 James L. Sowder System and method for providing storage device-based advanced persistent threat (apt) protection

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11405419B2 (en) 2017-03-27 2022-08-02 New H3C Technologies Co., Ltd. Preventing advanced persistent threat attack
CN108259449A (zh) * 2017-03-27 2018-07-06 新华三技术有限公司 A method and system for defending against APT attacks
WO2018177210A1 (fr) * 2017-03-27 2018-10-04 新华三技术有限公司 Defense against an APT attack
CN108259449B (zh) * 2017-03-27 2020-03-06 新华三技术有限公司 A method and system for defending against APT attacks
CN107888607B (zh) * 2017-11-28 2020-11-06 新华三技术有限公司 A network threat detection method, apparatus and network management device
CN107888607A (zh) * 2017-11-28 2018-04-06 新华三技术有限公司 A network threat detection method, apparatus and network management device
CN110222715A (zh) * 2019-05-07 2019-09-10 国家计算机网络与信息安全管理中心 A sample homology analysis method based on dynamic behavior chains and dynamic features
CN110222715B (zh) * 2019-05-07 2021-07-27 国家计算机网络与信息安全管理中心 A sample homology analysis method based on dynamic behavior chains and dynamic features
CN112242991A (zh) * 2019-07-17 2021-01-19 卡巴斯基实验室股份制公司 System and method for correlating events to detect information security incidents
CN112242991B (zh) * 2019-07-17 2023-08-25 卡巴斯基实验室股份制公司 System and method for correlating events to detect information security incidents
US20220277107A1 (en) * 2021-03-01 2022-09-01 Fortanix, Inc. Confidential computing workflows
US11481515B2 (en) * 2021-03-01 2022-10-25 Fortanix, Inc. Confidential computing workflows
CN115051820A (zh) * 2022-03-01 2022-09-13 深圳开源互联网安全技术有限公司 A multi-dimensional brute-force attack prevention method, apparatus, device and readable storage medium
CN115051820B (zh) * 2022-03-01 2024-03-22 深圳开源互联网安全技术有限公司 A multi-dimensional brute-force attack prevention method, apparatus, device and readable storage medium

Similar Documents

Publication Publication Date Title
US11115437B2 (en) Cyber-security system and methods thereof for detecting and mitigating advanced persistent threats
US11616791B2 (en) Process-specific network access control based on traffic monitoring
US10003608B2 (en) Automated insider threat prevention
US11057349B2 (en) Cloud-based multi-function firewall and zero trust private virtual network
US10601853B2 (en) Generation of cyber-attacks investigation policies
US11616761B2 (en) Outbound/inbound lateral traffic punting based on process risk
US9832227B2 (en) System and method for network level protection against malicious software
US9892270B2 (en) System and method for programmably creating and customizing security applications via a graphical user interface
US10855656B2 (en) Fine-grained firewall policy enforcement using session app ID and endpoint process ID correlation
WO2016089567A1 (fr) Cyber-security system and methods thereof for detecting and mitigating advanced persistent threats
US11803647B2 (en) Computer system vulnerability lockdown mode
CN111295640A (zh) Fine-grained firewall policy enforcement using session app ID and endpoint process ID correlation
Buecker et al. Stopping Internet Threats Before They Affect Your Business by Using the IBM Security Network Intrusion Prevention System
Bhatraju et al. Malware Analysis for Proactive Defence on Cyber Threat Vulnerabilities
Chieffalo et al. The Internet of Things-An Engineering Approach to Combating a Potential Skynet

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 15865478; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 EP: PCT application non-entry in European phase
Ref document number: 15865478; Country of ref document: EP; Kind code of ref document: A1